Compliance White Papers

Healthcare organizations can now effectively attest to many of the provisions mandated by the HIPAA Security Rule by undertaking annual SOC 2 assessments performed by a Certified Public Accounting (CPA) firm. NDNB, one of North America’s leading providers of SOC 2 HIPAA compliance assessments, has developed a specific testing matrix that maps directly to the HIPAA Security Rule provisions of 164.308 through 164.312, along with other applicable HIPAA mandates. It is an efficient and comprehensive process for demonstrating compliance with the Security Rule requirements of the Health Insurance Portability and Accountability Act (HIPAA).

SOC 2 HIPAA compliance is a hot topic these days as covered entities, business associates, and other applicable organizations seek to comply with the ever-growing HIPAA requirements, particularly the HIPAA Security and Privacy Rules. A growing trend is to use the SOC 2 reporting option under the AICPA Service Organization Control framework, and the supporting Trust Services Principles, for reporting on HIPAA compliance. It is therefore important to take note of the following five critical points regarding SOC 2 HIPAA compliance.

1. HIPAA scope is critical. The Health Insurance Portability and Accountability Act (HIPAA) is a large and complex piece of legislation signed into law by President Clinton in 1996, with many changes, modifications, and updates since then. With that said, it is important to ask yourself, “Which specific provisions within HIPAA would a SOC 2 assessment cover?” Generally speaking, the answer is Part 164, Subpart C (the Security Rule), which contains the following safeguards:

164.308: Administrative Safeguards

164.310: Physical Safeguards

164.312: Technical Safeguards

These three (3) safeguard categories are the main emphasis of the large and growing number of HIPAA compliance assessments being undertaken today by service organizations deemed to be business associates or covered entities.